Audit of Follow-up Review of Recommendation No. 1 from Audit Report No. 4-674-02-002-P, Audit of USAID/South Africa's Information Systems General Computer Controls

Audit Report No. 4-674-04-003-P
January 12, 2004

PRETORIA, SOUTH AFRICA


January 12, 2004

MEMORANDUM

FOR:      USAID/South Africa Director, Dirk Dijkerman

FROM:     Regional Inspector General/Pretoria, Jay Rollins /s/

SUBJECT:  Audit of Follow-up Review of Recommendation No. 1 from Audit Report No. 4-674-02-002-P, Audit of USAID/South Africa's Information Systems General Computer Controls (Report No. 4-674-04-003-P)

This memorandum is our report on the subject audit. In finalizing this report, we considered management comments on the draft report and have included those comments, in their entirety, as Appendix II in this report.

This report has two recommendations. In response to the draft report, USAID/South Africa concurred with and included corrective action plans and target completion dates for both recommendations. Therefore, we consider that management decisions have been reached on both recommendations. Please provide the Bureau for Management, Office of Management Planning and Innovation with evidence of final actions in order to close the recommendations.

I appreciate the cooperation and courtesy extended to my staff throughout the audit.


Table of Contents

Summary of Results .......................................... 5

Background .................................................. 5

Audit Objective ............................................. 6

Audit Findings .............................................. 7

    Has USAID/South Africa taken corrective final actions on Recommendation No. 1 of Audit Report No. 4-674-02-002-P, Audit of USAID/South Africa's Information Systems General Computer Controls? ........ 7

        Mission Contingency Plan Needs To Be Completed and Tested ........ 8

        Mission Needs to Correct and Complete Its Security Review Questionnaire ........ 9

Management Comments and Our Evaluation ...................... 11

Appendix I - Scope and Methodology .......................... 13

Appendix II - Management Comments ........................... 15


Summary of Results

The Regional Inspector General, Pretoria conducted this audit to determine whether USAID/South Africa took corrective final actions on Recommendation No. 1 of the Office of Inspector General's Audit Report No. 4-674-02-002-P. Recommendation No. 1 included five components for implementing a computer security program at USAID/South Africa (see page 6).

This audit found that USAID/South Africa had taken corrective final actions on three of the five components addressed in Recommendation No. 1. Improvements were made in (1) conducting risk assessments, (2) developing and maintaining an information systems security plan, and (3) implementing effective access controls. However, the Mission's actions did not sufficiently address two components in Recommendation No. 1. The Mission had not adequately prepared and tested an information systems contingency plan nor properly evaluated and monitored the effectiveness of its security program (see pages 7-10).

This report contains two recommendations to help USAID/South Africa improve its computer security program in the two areas mentioned above (see pages 9 and 10).

In response to the draft report, USAID/South Africa concurred with both recommendations contained in the report. The Mission included corrective action plans and target completion dates for both recommendations. Therefore, we consider that management decisions have been reached on both recommendations upon final report issuance (see page 11).


Background

General computer controls are the structure, policies, and procedures that apply to all or a large segment of an entity's information systems and that help ensure their proper operation. The primary objectives of general controls are to safeguard data, protect computer application programs and system software from unauthorized access, and ensure continued computer operations in case of unexpected interruptions. USAID places extensive reliance on information systems to process data. Therefore, it is critical for USAID to maintain adequate internal controls over its financial and management systems. At USAID/South Africa, the Data Management Division (DMD) is responsible for managing, operating and maintaining the Mission's information systems. DMD is responsible for:

    •   Establishing information system computer processing requirements.

    •   Processing requests for user access to the system.

    •   Providing related computer services.

    •   Monitoring and maintaining the system in compliance with USAID policies and procedures.

On January 15, 2002, the Office of Inspector General (OIG) issued Audit Report No. 4-674-02-002-P. The report addressed OIG concerns regarding USAID/South Africa's ineffective general controls over the computer processing environment. This situation occurred because USAID/South Africa had not implemented a security program that fully met the requirements of the Computer Security Act of 1987, Office of Management and Budget's Circular A-130, or USAID Automated Directives System 545. Therefore, the OIG recommended that USAID/South Africa implement a computer security program that included:

    1. Conducting risk assessments.

    2. Developing and maintaining an information systems security plan.

    3. Implementing effective access controls.

    4. Preparing and testing an information systems contingency plan.

    5. Evaluating and monitoring the effectiveness of its security program.

Henceforth, for clarity, this audit report will refer to each of the components addressed in Recommendation No. 1 by the numbering scheme provided above.

On March 26, 2003, USAID/South Africa submitted a memorandum to USAID's Office of Management Planning and Innovation (MPI) that requested that MPI close the recommendation made in Audit Report No. 4-674-02-002-P. The memorandum documented actions taken by the Mission and provided information on the implementation of the audit recommendation. Based on the Mission's submission, MPI closed the recommendation on March 28, 2003. The audit in this report covers the period from January 2002 through October 2003.


Audit Objective

This recommendation follow-up audit was conducted in accordance with the U.S. Office of Management and Budget's Circular No. A-50 and Office of Inspector General (OIG) audit policy, which requires the OIG to follow up on recommendations that have been closed. Specifically, the audit was conducted to answer the following question:

    •   Has USAID/South Africa taken corrective final actions on Recommendation No. 1 of Audit Report No. 4-674-02-002-P, Audit of USAID/South Africa's Information Systems General Computer Controls?

Appendix I contains a discussion of the audit's scope and methodology.


Audit Findings

Has USAID/South Africa taken corrective final actions on Recommendation No. 1 of Audit Report No. 4-674-02-002-P, Audit of USAID/South Africa's Information Systems General Computer Controls?

USAID/South Africa has taken corrective final actions on three of the five components addressed in Recommendation No. 1. However, the Mission still needs to take further corrective actions on two important components addressed in Recommendation No. 1. These two components relate to developing and testing a contingency plan and to providing a security review.

In response to Recommendation No. 1, the Mission has taken corrective final actions to enhance three components of its general computer controls. These components were related to: conducting risk assessments (component #1), developing and maintaining an information systems security plan (component #2), and implementing effective access controls (component #3). The Mission addressed component #1 by conducting a risk assessment of potential threats and identifying associated countermeasures to mitigate those threats. Component #2 was addressed when the Mission's security plan was approved by Mission management on March 7, 2003, and updated on September 26, 2003. The Mission also implemented effective access controls by having a restricted access-controlled computer server room and by requiring signatures from the Mission's management prior to granting an individual computer system access.[1] Additional access controls included requirements that computer system users need a security clearance and that individuals sign a computer system "rules of individual behavior."[2]

In spite of improvements made, the Mission still needs to take additional corrective actions to further strengthen the Mission's general computer controls. Mission actions did not adequately support preparing and testing an information systems contingency plan (component #4) or evaluating and monitoring the effectiveness of its security program (component #5). Instead of reopening the January 2002 recommendation verbatim, we are rewording a portion of the original recommendation and reissuing it as two new recommendations. These new recommendations will only focus on corrective actions for components #4 and #5, while taking into account the actions that the Mission had already implemented for components #1 through #3.

[1] USAID Computer System Access & Termination Request, AID 545-4 (06/2001).
[2] USAID Unclassified Information Systems Access Request Acknowledgement, AID 545-1 (06/2001).


Mission Contingency Plan Needs To Be Completed and Tested

A complete and tested contingency plan is required by both the U.S. Office of Management and Budget (OMB) under Circular A-130 and by USAID's Automated Directives System (ADS) 545. USAID/South Africa did not have a completed and tested contingency plan. The contingency plan had not been completed because the Mission's staff was involved with other responsibilities that were deemed of higher priority than completing the draft contingency plan. Because the plan was still in draft form, it had not been tested. Until the Mission has a complete and tested contingency plan, the Mission's ability to process, retrieve, and protect information necessary to accomplish its mission in the event of an emergency remains at risk.

Both OMB and USAID have requirements that address the need for developing and testing a contingency plan. OMB's Circular A-130, Appendix III, requires agencies to establish and periodically test systems' capabilities to continue providing service based upon the needs and priorities of system participants. According to ADS 545, the System Manager and designated Information Systems Security Officer (ISSO) must: (1) review, update (if necessary), and test all emergency action plans annually or when significant modifications are made to system hardware, software, or system personnel, and (2) retain copies of the most recent contingency operation, disaster recovery and emergency action plans in the central system file and at the off-site back-up facility. The Directive further states that each member of the system staff and the designated ISSO must receive training in the implementation of emergency procedures and be afforded opportunities to periodically practice the procedures.

Recommendation No. 1, component #4, recommended that USAID/South Africa implement a computer security program that included preparing and testing an information systems contingency plan. When the recommendation was made, the contingency plan was not complete: it lacked several important items. These items included selecting an alternate off-site computing location for emergency situations and selecting members for contingency teams, who would be responsible for responding to emergency situations. At that time, the Mission stated that because it was in the process of transitioning from one operating system to another, it planned to complete and test the contingency plan once the new operating system was installed. However, two years after installing the new operating system, the contingency plan has still not been tested.

The draft contingency plan had not been completed because it had been a lower priority activity for the Mission. Among the higher priorities that faced the staff responsible for the contingency plan was their work related to the Mission's move into its new building in October 2002. Because the contingency plan was not complete, it had not been tested. Until a contingency plan is completed and tested, the Mission will continue to be exposed to the same vulnerabilities identified in Audit Report No. 4-674-02-002-P. That audit report stated the following:

    A contingency plan that clearly provides information on supporting resources that will be needed in emergency situations, roles and responsibilities of those who will be involved in recovery activities, and procedures for restoring critical applications and their order in the restoration process would help ensure the Mission's ability to operate if services are interrupted. Without a prepared and tested contingency plan, the Mission may not be able to process, retrieve and protect information maintained electronically or accomplish its mission in emergency situations.

In conclusion, USAID/South Africa management will need to designate the completion and testing of an information systems contingency plan as a high priority in order to accomplish its mission in emergency situations. Without a complete and tested contingency plan, USAID/South Africa cannot expect its staff to be able to respond positively and efficiently to mitigating emergency situations that may negatively impact the Mission's information systems.

    Recommendation No. 1: We recommend that USAID/South Africa complete and test its information systems contingency plan.


Mission Needs to Correct and Complete Its Security Review Questionnaire

OMB's Circular A-130, Appendix III, and USAID's ADS 545 require reviews to assess security controls. ADS 545 specifies the Mission official responsible, in conjunction with other staff members, for performing an annual self-evaluation review of the information systems security program. USAID/South Africa performed a security evaluation of the Mission's information systems, but this effort had inherent problems. In April 2003, the Mission conducted a compliance review of its information systems that contained numerous inaccuracies and non-responses. This occurred because the former Mission staff member who performed the assessment did not use the assistance of the Mission's technical staff. The lack of an accurate and complete computer security review has resulted in the Mission having a diagnostic tool that it cannot rely upon to identify and mitigate computer security risks.

OMB's Circular A-130, Appendix III, states that agencies should review the security controls in each system when significant modifications are made to the system, or at least every three years. USAID's ADS 545 goes further by making the Information Systems Security Officer (ISSO) responsible for conducting annual self-evaluation reviews of the information systems security program managed by the ISSO. The Unclassified Information System Compliance Review questionnaire (AID 545-3 [6/2001]) states that the ISSO "in conjunction with the Program Manager, System Manager/IT Specialist and other appropriate security personnel, must use this questionnaire." The questionnaire must be used for "conducting an annual review of the security posture of each system operating in support of their mission or program." Further, AID 545-3 states that the questionnaire was developed for use as a guideline, and that the ISSO must use the questionnaire for "assessing compliance with Federal and USAID information systems security policies, procedures and regulations governing electronic data processing and storage." All noted deficiencies in the review are required to be addressed in a corrective action plan.

Recommendation No. 1, component #5, recommended that USAID/South Africa implement a computer security program that included evaluating and monitoring the effectiveness of its security program. In response to this recommendation, on April 23, 2003, a Mission official performed a security review using the AID 545-3 questionnaire. However, of the questionnaire's 43 questions, 7 had incorrect answers and 13 were not answered. An example of one of the questions incorrectly answered was "Have the contingency operation plans been successfully practiced or implemented within the last year?" The incorrect response was "yes". An example of one of the questions not answered was "Are up-to-date contingency operation plans in place?"

The problems with the April 2003 security review were attributed to a lack of knowledge by the former ISSO who completed the review. According to Mission staff, the former ISSO official who completed the questionnaire did so without the assistance of the Mission's technical staff. In addition, the unanswered questions may have reflected unfamiliarity with the Mission's information system.

The lack of an accurate and complete computer security review has resulted in the Mission having a diagnostic tool that it cannot rely upon to identify and mitigate computer security risks. In conclusion, based on the significant problems identified with the current security review, we believe it would be prudent for the Mission to correct and complete its 2003 security review. Therefore, we are making the following recommendation.

    Recommendation No. 2: We recommend that USAID/South Africa correct and complete its April 2003 security review questionnaire to better evaluate and monitor the effectiveness of its security program.


Management Comments and Our Evaluation

In response to our draft report, USAID/South Africa management concurred with Recommendation Nos. 1 and 2. The Mission also provided corrective action plans and target completion dates for both recommendations. Therefore, we consider that management decisions have been reached for both recommendations upon final report issuance.


Appendix I

Scope and Methodology

Scope

The Regional Inspector General/Pretoria conducted this audit in accordance with generally accepted government auditing standards. The audit, covering the period from January 2002 through October 2003, reviewed the corrective final actions taken by the Mission on Recommendation No. 1 from our January 2002 audit report on USAID/South Africa's general computer controls. In planning and performing the audit, we tested and assessed significant management controls related to the Mission's information systems. In this effort, we tested the process used by the Mission to ensure that its employees and visitors obtain the appropriate authorization in order to access the Mission's information systems. Further, we also assessed the management controls used to protect the Mission's information systems from unauthorized users and prohibited uses. The types of evidence examined during the audit included, but were not limited to, the Mission's Security Plan and draft Contingency Plan, relevant documents concerning the Mission's efforts to improve computer controls, and testimony from USAID/South Africa staff. The audit was conducted at USAID/South Africa in Pretoria, South Africa, from September 25 to October 21, 2003.

Methodology

The purpose of this audit was to review the Mission's corrective final actions on Recommendation No. 1. Specifically, the audit was designed to answer the question, "Has USAID/South Africa taken corrective final actions on Recommendation No. 1 of Audit Report No. 4-674-02-002-P, Audit of USAID/South Africa's Information Systems General Computer Controls?" To answer the audit's objective, we reviewed Mission documents and interviewed Mission officials. Some of these documents included the Mission's (1) memorandum recommending the closure of Recommendation No. 1 to USAID's Office of Management Planning and Innovation, (2) April 2003 security review, (3) draft contingency plan, (4) security plan, (5) completed computer system access forms, and (6) computer security training list of participants.

We also relied upon Audit Report No. 4-674-02-002-P (issued by RIG/Pretoria on January 15, 2002), on which this review was based, in order to (1) identify and review the criteria that had been used and (2) gain an understanding of the reported findings. We reviewed each of the five components that comprise Recommendation No. 1 and the associated critical findings identified in the prior audit report. For each finding, we determined if the problem areas had been addressed. These determinations were based on professional judgment and served as the basis for deciding whether to concur that reported final actions effectively addressed components in Recommendation No. 1. In the two instances where the Mission's actions did not effectively address the specific components in Recommendation No. 1, we decided to reopen those particular components.

The nature of this audit did not lend itself to materiality thresholds; thus none were developed.


Appendix II

Management Comments

January 2, 2004

MEMORANDUM

TO:       Jay Rollins, RIG/Pretoria

FROM:     Dirk Dijkerman, Mission Director /s/

SUBJECT:  Management Comments to Follow-up Audit to Audit Report No. 4-674-02-002-P

Executive Office/Data Management Division staff reviewed the recommendations of the subject audit report and I concur with their proposed management comments reproduced below:

Recommendation No. 1: We recommend that USAID/South Africa complete and test its information systems contingency plan.

USAID/South Africa intends to complete its information systems contingency plan in January 2004 and test the plan no later than February 29, 2004.

Recommendation No. 2: We recommend that USAID/South Africa correct and complete its April 2003 security review questionnaire to better evaluate and monitor the effectiveness of its security program.

USAID/South Africa intends to have a qualified official re-administer the Unclassified Information System Compliance Review questionnaire prescribed by ADS 545-3 no later than March 31, 2004 and annually thereafter (or more frequently should significant system modifications be carried out).

cc:       ESchaeffer, RFMO
          LNortje, EXO/DMD

Cleared:  BSchaeffer, EXO /s/

          KFickenscher, A/DD /s/